Summary

2014 was widely proclaimed the “Year of the Data Breach”, but despite shareholders’ and regulators’ calls for greater transparency relating to boards’ oversight of cybersecurity risks, few 2015 corporate disclosure documents provided any evidence that things were changing. Boards need to understand investors’ perspectives and adopt best-practice approaches to cyber risk management and disclosure.

Target’s breach led to boardroom backlash

The aftermath of Target’s December 2013 data breach exemplified a lack of transparency relating to board-level oversight of cybersecurity risks, to the extent that ISS recommended that investors vote against the members of Target’s Audit and Corporate Responsibility committees at the company’s annual meeting.

Target tried to defend its response to the breach but investors were unconvinced: Governance professionals connected to nearly half of Target’s ten largest investors voted against one or more of the company’s directors.

Following the Target breach, Securities and Exchange Commission (SEC) commissioner Luis A. Aguilar warned boards that “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues.”

Shareholders care about data breaches

Some media reports postulate that the lack of sharp, downward stock movements after data breaches is caused by shareholder apathy but a recent Harvard Business Reviewarticle argues that muted stock price reactions to data breaches actually reflect the absence of useful information:

“Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value […] shareholders only react to breach news when it has direct impact on business operations, such as litigation charges (for example, in the case of Target) or results in immediate changes to a company’s expected profitability.”

According to a KPMG survey of more than 130 global institutional investors with an estimated $3 trillion under management, cybersecurity events do affect investor confidence. Respondents said that 43% of board members had “unacceptable skills and knowledge to manage innovation and risk in the digital world.” 79% of respondents suggested they would blacklist stocks of hacked firms.

68% of investors believe it is important for directors to discuss engaging external cybersecurity experts; only 42% of directors reported having done so.

55% of investors said it was important for boards to consider designating a CISO (chief information security officer); only 26 of directors reported discussing such an appointment.

45% of investors believe it is important for directors to discuss the NIST cybersecurity framework; only 21% of directors reported having done so.

ISS policy respondents indicate a disclosure framework

In 2014, ISS asked institutional investors to weigh the factors they assess when reviewing boardroom oversight of risk, including cyber threats. The majority of respondents said that “very” or “somewhat” important factors are:

role of the company’s relevant risk oversight committee(s)

the board’s risk oversight policies and procedures

directors’ oversight actions prior to and subsequent to the incident(s)

changes in senior management.

The third and fourth points are perhaps the most interesting. Shareholders are not looking for scapegoats: 85% of respondents thought it “very important” that directors learn lessons from cybersecurity incidents but only 46% of shareholders indicated that changes in senior management were “very important” to them when it came time to vote on director oversight.

2015 disclosures provide few insights

Many boards fail to disclose cyber threats in their mandatory statements, but one notable exception is Home Depot, whose response aligns with the investor responses above: Following the company’s data breach in 2014, which affected up to 56 million customers, its proxy statement provided a concise explanation of the steps taken by the board before and after the incident, including a brief summary of the depth and duration of the breach, an explanation of the board’s delegation of oversight responsibility to the audit committee, and an outline of remedial steps that the board took in response to the event.

Boards would benefit from engagement and disclosure

While it is good that cybersecurity has come to the fore for many directors, shareholders are generally still not getting the transparency they need to assess the quality of boardroom oversight, as the vote against Target’s board discussed above demonstrates.

Target’s lessons learned

Following its 2014 meeting, Target spoke with shareholders representing approximately 41% of shares voted. In light of this feedback, the board “embarked on a comprehensive review” of risk oversight at management, board, and committee levels.

Boards would do well to implement cyber risk management best practice and improve risk oversight at management, board and committee levels – or risk losing investor confidence.

Best-practice cyber risk management

The international standard ISO 27001 sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.

Registration to the Standard demonstrates to investors, stakeholders, customers, and staff that information security best practice is being followed.